Woman viewing cityscape from window

CMMC 2.0 Update

On November 4, 2021, the Department of Defense (DoD) announced long-anticipated changes to the Cybersecurity Maturity Model Certification (CMMC) program as a result of the internal review that began in March 2021.

Download the full article on: CMMC 2.0 Update

The updated model is being called CMMC 2.0. Summary of key changes include the following:

  • Streamlined model to eliminate Levels 2 and 4, leaving:
    • Level 1 — Foundational (equivalent to previous Level 1)
    • Level 2 — Advanced (equivalent to previous Level 3)
    • Level 3 — Expert (equivalent to previous Level 5)
  • CMMC-unique practices and all maturity processes are being eliminated
  • Certain levels will have assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs):
    • Level 1 contractors and a subset of Level 2 contractors will require annual self-assessments and submission of affirmations by senior company officials
    • Level 2 contractors managing information critical to national security will require an assessment by a C3PAO
    • Level 3 contractors will require triennial government-led assessments
  • Certifications can be achieved with an active Plan of Action and Milestones (POA&M) in limited circumstances; however, POA&Ms cannot be for highest-weighted requirements
  • CMMC waivers can be obtained in limited circumstances
  • DoD rulemaking to address the changes of CMMC 2.0 is expected to take 9 to 24 months and will require two distinct rulemaking processes:
  • Updates to Title 32 of the Code of Federal Regulations (CFR) 
  • Updates to applicable Defense Federal Acquisition Regulation Supplement (DFARS) contracting clauses and Title 48 of the CFR

Although CMMC will not be included as a requirement in any solicitation until the final rules are issued, the DoD is considering incentivizing organizations who undergo and pass a CMMC assessment by a C3PAO in the meantime. Potential incentives that are currently being considered include additional profit margins and source selection evaluation criteria that factors network security of the organization.

The path forward for organizations contracting with the government

While organizations in the Defense Industrial Base wait for the rule finalizations, they should continue their journey of improving their cybersecurity posture. For organizations that already have contracts that include the DFARS 252.204-7012 clause and are targeting Level 2 of CMMC 2.0, it is primarily a continuation of that effort with the main difference being that they will need to undergo an assessment by a C3PAO.

If your organization is targeting Level 1, don’t sigh in relief too early. Companies should be mindful of the annual assertions that are required and the potential risks, including False Claims Act (FCA) violations. Deputy Attorney General Lisa O. Monaco’s recent announcement regarding the creation of the Department of Justice’s Civil Cyber-Fraud Initiative indicates the government’s focus on FCA as a tool to pursue any assertions.


The Department of Defense announced changes to the Cybersecurity Maturity Model Certification. This overview of the updated model - CMMC 2.0 – outlines some of the key changes and what actions organizations should take.